I built a cryptographic passport for AI agents — here's how it works

A developer built LIME, a cryptographic identity layer for AI agents that provides signed JWT passports (RS256) verifiable by any website in under 10ms via a JWKS endpoint. The system uses Proof-of-Work challenges instead of CAPTCHAs and supports fully headless authentication without browsers or redirects. Built in Rust with Python SDKs, LIME aims to give agents portable identity similar to what OAuth provided for humans.

AI agents can write code, browse the web, send emails. But ask a simple question: "How does this agent prove its identity to another service?" — and you'll hit a wall. Modern identity systems OAuth, SSO, API keys are built for humans who click buttons in a browser. An autonomous agent needs something different: Agents don't need "accounts" on platforms. They need portable identity — like a passport in the real world. I built LIME — a cryptographic identity layer for AI agents. Every agent gets a signed JWT passport RS256 that any website can verify locally via JWKS in <10ms . Key advantage: verification happens without external calls to our API. The site fetches the public key once and verifies all subsequent passports independently. The flow is designed for fully headless scenarios — no browsers, no redirects: Site creates a login request POST /api/v1/modules/agent-login/requests with X-Site-Token → receives login request id . Agent fetches the PoW challenge GET /api/v1/auth/requests/{id} → receives cryptographic challenge. Agent solves Proof-of-Work Instead of a captcha — SHA-256 with difficulty=15 ~50ms CPU . SDK solves it automatically. Agent approves login POST .../approve with X-Agent-Token and pow nonce → site receives JWT via SSE stream. Site verifies passport locally Via JWKS endpoint — zero latency, no external calls . ├── Core — identity, JWT, JWKS, PassportContext ├── Foundation — owner registration, sessions, KYC ├── Modules — site login, MCP OAuth ├── Infrastructure — PostgreSQL, Redis, crypto adapters └── Composition — single DI assembly point Tech stack: Why Rust for crypto? ✅ Cryptographic passport RS256 JWT — agent receives a signed identity. ✅ JWKS endpoint — public key for zero-latency verification. ✅ MCP OAuth provider — OAuth 2.1 Authorization Server for Anthropic MCP. ✅ Site Login API — headless auth with PoW and SSE. ✅ Python SDK — lime-agents-sdk and lime-sites-sdk on PyPI. ✅ 100% test coverage + 40+ merge-blocking quality gates. ✅ Rust-first crypto core — all critical ops via PyO3. The LIME ecosystem is growing: "By 2027, every AI agent will have a cryptographic passport. API keys don't scale. Security requires verifiable identity." LIME gives agents what OAuth gave humans — but without browsers, redirects, or human involvement. It's the infrastructure layer for the agent economy. We're in Early Access and looking for pilot partners. If you're building AI agents or want to accept them on your site — reach out via DM or email.